users@glassfish.java.net

JSESSIONIDSSO and HTTPS

From: Jamey Wood <Jamey.Wood_at_sun.com>
Date: Tue, 30 Oct 2007 13:02:47 -0600

When using container-managed authentication for a web application,
GlassFish uses a "JSESSIONIDSSO" cookie to manage SSO. Is there any
configuration setting which will control whether or not this cookie is
set with the "secure" flag?

The behavior I've witnessed is that the cookie will automatically be set
as "secure" if the HTTP request came via a secure connection, and not if
it didn't. This is certainly a reasonable default, but it'd be nice to
have the ability to override it in special circumstances. (In our case,
we want to ensure that SSO works on HTTP pages even when the initial
login occurred via HTTPS.)

In GlassFish's org.apache.catalina.authenticator.AuthenticatorBase, I see:

  String value = generateSessionId();
  Cookie cookie = new Cookie(Constants.SINGLE_SIGN_ON_COOKIE, value);
  cookie.setMaxAge(-1);
  cookie.setPath("/");
  cookie.setSecure(hreq.isSecure());
  hres.addCookie(cookie);

So it appears that the only way to force it into a 'setSecure(false)'
case would be if we could force our HttpServletRequest to return false
for the isSecure call. I believe that's possible in Tomcat (setting
'secure="false"' in server.xml, as documented at
http://tomcat.apache.org/tomcat-5.5-doc/config/http.html). Is there any
similar setting in GlassFish? (In other words, is there a way to force
isSecure() to return false for an HttpServletRequest even if it really
is HTTPS?) Or is there some other approach that could handle this scenario?

Thanks,
Jamey
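As an added check (not code from this post or from GlassFish): given the Set-Cookie headers a container returned after login and the scheme of the request that produced them, report whether the JSESSIONIDSSO cookie carries the Secure flag that scheme calls for. The sample headers are constructed to show the default behaviour described above beside the overridden case the post asks about.

```python
# Added example, not code from the mailing-list post or from GlassFish.
# Audits Set-Cookie headers for the SSO cookie's Secure attribute.
SSO_COOKIE = "JSESSIONIDSSO"

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attr_lower: value})."""
    first, *rest = (p.strip() for p in header.split(";"))
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def audit_sso_cookie(set_cookie_headers, request_scheme, cookie_name=SSO_COOKIE):
    """Return a list of findings for cookie_name, given the scheme ("http" or
    "https") of the request that produced the response. Empty means nothing
    to report."""
    findings = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name != cookie_name:
            continue
        secure = "secure" in attrs
        if request_scheme == "https" and not secure:
            findings.append(f"{cookie_name} set over HTTPS without Secure: "
                            "the browser will also send it over plain HTTP")
        elif request_scheme == "http":
            findings.append(f"{cookie_name} set over HTTP: the SSO token has "
                            "already crossed an unencrypted connection")
    return findings

# Constructed samples: the container default (Secure mirrors hreq.isSecure())
# and the forced setSecure(false) case discussed in the post.
DEFAULT_HTTPS_LOGIN = ["JSESSIONID=1A2B; Path=/app",
                       "JSESSIONIDSSO=9F8E; Path=/; Secure"]
OVERRIDDEN_HTTPS_LOGIN = ["JSESSIONID=1A2B; Path=/app",
                          "JSESSIONIDSSO=9F8E; Path=/"]

if __name__ == "__main__":
    for label, headers in (("default", DEFAULT_HTTPS_LOGIN),
                           ("overridden", OVERRIDDEN_HTTPS_LOGIN)):
        print(label, audit_sso_cookie(headers, "https") or "ok")
```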